Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget


Uploaded On 2017-06-10


Presentation Transcript


Slide 1: Windows 10 Management Scenarios: Mark Minasi Helps You Have Total Control for Every Budget
Mark Minasi
Writer, Speaker, Consultant
Twitter @mminasi
Join my newsletter at www.minasi.com

Slide 2: Hello and Welcome!
Windows 10, Azure, AD and the like offer us a lot of options, so sometimes it's a little hard to keep them straight
In this session, I'll outline many of the combinations with an eye to:
What it does
What it costs
What are the ingredients
This is all "200" level
And I'll demo what I can

Slide 3: Topics
Identity Solutions
Windows Store App Control
Controlling Apps
corp data on personal devices safe
Whatever else I have time for

Slide 4: First, Though, Remember Option One
"Don't Do Anything"
Again, Microsoft supports Windows 7 until 2020, Windows 8 until 2023
There is no rush unless you're running Windows 7 Professional, as the free upgrade to Windows 10 is only available for a year

Slide 5: And Remember Option Two
"Just keep doing what you're doing"
If your Win 10 devices are running full Windows Pro or Enterprise, then group policies, PowerShell scripts, Orchestrator runbooks, workflows etc. all work as well as they ever did

Slide 6: Identity in Windows 10
You've always had a lot of choices in where to store your identity and your machine's. Win 10 adds one to the mix

Slide 7: Option One: Local Accounts
Enabling tech: Microsoft Accounts (MSAs) -- Hotmail, Live, outlook.com accounts
What it does:
Gives you an identity recognized by your computer and many Web locations
Lets you sync some settings between devices
Machine is registered with Microsoft for sync and auth purposes
Lets Store apps roam with your account
Minimal MDM… password minimums, scripts can sometimes fill in
Works on a wide variety of devices
Fine for homes or very, very small orgs

Slide 8: Option Two: AD-Joined
Ingredients: DCs, network, "full" Windows
What it does: Rich device, app, and security management via group policies
App roaming via group policies or Config Manager
Desktop roaming via roaming profiles and folder redirection
Wide software library
Cost: AD infrastructure, CALs
Of little or no value for phones, non-Microsoft tablet devices
Can only join one domain

Slide 9: Option 3: Azure AD, Cloud Join
Ingredients: AAD, probably O365, Win 10 devices
Steps: enable device join in Azure, create AAD accounts (either sync them or create new ones)
What it does:
Enables Conditional Access for files
MDM via third party, Intune
Provides identity for Store apps
Cost: O365 or AAD charges per user
No on-prem required; can only join one AAD; can't be joined to an AD

Slide 10: Demo: Azure AD Device Registration and Cloud Join
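The three identity options above leave different join flags on the device, and the demo's result can be read back from the machine itself. The PowerShell below is an added example, not part of Mark Minasi's session; it assumes the dsregcmd.exe tool that ships with Windows 10 is present and parses the "Key : Value" lines of its /status report (AzureAdJoined, DomainJoined, WorkplaceJoined, TenantName, DeviceId), then maps those flags onto the option numbers used in the slides.

```powershell
# Added example (not from the session): classify a Windows 10 device's identity
# configuration by parsing the built-in "dsregcmd /status" report.
# Assumes dsregcmd.exe is present and prints "Key : Value" lines such as "AzureAdJoined : YES".
function Get-DeviceJoinState {
    $raw = (& "$env:SystemRoot\System32\dsregcmd.exe" /status 2>&1) | Out-String

    # Pull the flags we care about out of the report; anything missing is reported as 'n/a'
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName', 'DeviceId') {
        if ($raw -match "(?m)^\s*$key\s*:\s*(.+?)\s*$") { $state[$key] = $Matches[1] }
        else                                             { $state[$key] = 'n/a' }
    }

    # Map the flags onto the options discussed in the session
    $scenario = if ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES') {
        'Both AD-joined and Azure AD-joined flags set'
    } elseif ($state.AzureAdJoined -eq 'YES') {
        'Option 3: Azure AD cloud join'
    } elseif ($state.DomainJoined -eq 'YES') {
        'Option 2: AD-joined'
    } elseif ($state.WorkplaceJoined -eq 'YES') {
        'Azure AD registered (a work account added to a personal device)'
    } else {
        'Option 1: local account / MSA only'
    }
    $state['Scenario'] = $scenario
    [pscustomobject]$state
}

# Usage: run in an elevated PowerShell on the device being checked
Get-DeviceJoinState | Format-List
```

The function deliberately reports both AD and AAD flags when both are set rather than guessing, because the slide's statement that a cloud-joined device "can't be joined to an AD" is the simple case; anything else deserves a human look.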

Slide 11: Deploying Apps to Devices
Acquiring Modern/Store/Universal apps and getting them on Windows 10 devices

Slide 12: Option One: Use the Windows Store
Ingredients: an MSA (Microsoft Account), credit card
What it does:
Lets you get any application in the Windows Store onto a compatible device
Remembers your apps and roams them to devices
You can put your LOB apps into the Store (but the world sees them)
You can sideload LOB apps you don't want to put in the Store
Deploy LOBs with Add-AppxPackage
Requires organizational users to have credit cards
Limited org data governance

Slide 13: Demo: New Windows Store (kind of)

Slide 14: Option Two: Business Store Portal (BSP)
BusinessStore.Microsoft.com
Cost: Nothing -- all Web-based
Ingredients: Azure AD accounts or MSA
Log onto BSP with your MSA, get personal apps
Log onto the Business Store Portal with your AAD creds, see the org's apps
Admin can block categories like "Food and Dining"
Can create a category for the organization
Can acquire X copies of the app for the org

Slide 15: Option Two, Continued
Accepts payments besides credit cards -- PO or invoice
You can download the Appx package for the modern app
Once you have the package, you can deploy offline, or install with PowerShell Add-AppxPackage
Admin can control app licenses (portal is there)
No Intune needed, no Config Manager needed
LOBs have to go into the Store to be accessible
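Deploying a downloaded Appx package offline with Add-AppxPackage, as Option One and Option Two both describe, is where an admin should insist on a valid signature, since a sideloaded package bypasses the Store's own checks. The PowerShell below is an added example, not the session's code; it assumes you have the .appx/.appxbundle (and, for offline licensing, the license XML) from the Business Store Portal, and that the registry value it checks is the one behind the "Allow all trusted apps to install" policy. The package path, license path and thumbprint are placeholders.

```powershell
# Added example (not from the session): install an Appx package downloaded from
# the Business Store Portal, refusing anything whose Authenticode signature is
# not valid or whose signer you have not explicitly trusted.
# Assumptions: the BSP download gives you the package and, for offline licensing,
# the license XML; AllowAllTrustedApps is the value the sideloading policy writes.
function Install-VerifiedAppx {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,               # .appx / .appxbundle from the BSP
        [string]                        $LicensePath,               # offline licence XML (optional)
        [string[]]                      $TrustedThumbprints = @()   # signing cert thumbprints you accept
    )

    if (-not (Test-Path -LiteralPath $PackagePath)) { throw "Package not found: $PackagePath" }

    # 1. The package must carry a valid signature; sideloading unsigned code defeats the point
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install '$PackagePath': signature status is '$($sig.Status)'"
    }
    # 2. Optionally pin the signer, so a valid signature from an unexpected publisher is rejected
    if ($TrustedThumbprints.Count -gt 0 -and $sig.SignerCertificate.Thumbprint -notin $TrustedThumbprints) {
        throw "Refusing to install: signer '$($sig.SignerCertificate.Subject)' is not in the trusted list"
    }

    # 3. Sideloading has to be allowed, otherwise Add-AppxPackage fails for non-Store packages
    $appxPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                                   -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    if (-not $appxPolicy -or $appxPolicy.AllowAllTrustedApps -ne 1) {
        Write-Warning 'The "Allow all trusted apps to install" policy is not set; sideloading may be blocked'
    }

    # 4. Install: provision for every user on the machine when an offline licence is supplied,
    #    otherwise install for the current user only
    if ($LicensePath) {
        Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -LicensePath $LicensePath | Out-Null
    } else {
        Add-AppxPackage -Path $PackagePath
    }
    Write-Host "Installed '$PackagePath' (signed by $($sig.SignerCertificate.Subject))"
}

# Usage (placeholder paths and thumbprint):
# Install-VerifiedAppx -PackagePath 'C:\BSP\ContosoExpenses.appx' `
#                      -LicensePath 'C:\BSP\ContosoExpenses_License.xml' `
#                      -TrustedThumbprints @('<publisher certificate thumbprint>')
```

Pinning the thumbprint is what turns "signed" into "signed by us": a package signed with any certificate the machine trusts passes step 1, so step 2 is the check that matters for in-house LOB apps.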

Slide 16: More Details
Admin sets up the BSP with an admin-level AAD account with a browser
User logs in with AD, AAD, or MSA account to the Store
Apps are automatically updated via the Store (actually the Store service)
Admin can explicitly assign an app to a user, so the user need do nothing, or have it appear in the Store

Slide 17: Option Three: Create an Enterprise Store
Ingredients: Intune or Config Manager, appx packages acquired from the BSP, AAD or MSA account
Cost: Intune licences or perhaps System Center licenses
Additions:
Apps can be delivered with an MDM/MAM tool
LOB apps need … be uploaded to the store and can be …
Store apps can be delivered even when systems are offline or if the Store has been disabled

Slide 18: Option Three Continued
You can deploy Desktop apps as well
You can do B2B distribution
(And thus LOB and B2B apps can be kept private)
User logs onto the Company Store rather than Store
If you use an MDM…
Get the apps as before
In the service, link to the apps' locations in the Store
When the user logs in with an AD or AAD account, the MDM/MAM deploys the app

Slide 19: SCCM Details
BSP, get apps, download appx
Set the … out either as packages to be deployed, or put them in the Company Store

Slide 20: Other Details
You can control the automatic updates, can schedule them rather than now, which does updates as soon as possible
APIs expose the whole thing and support agent-based solutions like Config Manager
When you leave an organization and can no longer sign on with AD or AAD, you lose access to the org apps and their data stores
Of course, you always have your MSA apps

Slide 21: Controlling Apps in Windows 10
Reducing friction getting to apps we want people to run, and blocking the things we don't want them running

Slide 22: Azure RemoteApps
Server 2008 introduced Terminal Services RemoteApps
Basically it delivers an RDS session inside a window, looking like a local app
Never really caught on in the Windows world, but it's popular in the Citrix world
Azure, however, has RemoteApps

Slide 23
Build an Azure image with the app
Log onto the portal, go to RemoteApps
Deploy as icons or paths
Must survive a Sysprep
Deploy to users via Azure Portal, something easier is probably on the way
No Modern apps
… on any Windows… but Win 10 speeds it up



Slide 24: DeviceGuard: Crush USB Malware
As we all know, most IT pros' favorite malware delivery tool is a USB stick
DeviceGuard in Windows 10 slows that down
You have a list of approved executables, or perhaps a rule to "only run signed code," or code signed by some party
Comes with a signing tool that lets you sign your in-house stuff in case you don't have a PKI in place
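The "list of approved executables" and "only run code signed by some party" rules the slide describes are expressed in Windows 10 as a code integrity policy. The PowerShell below is an added example, not from the session; it uses the ConfigCI module cmdlets that ship with Windows 10 Enterprise (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy) to build a publisher-level policy from a clean reference machine, keeps it in audit mode, and reads the CodeIntegrity event log to see what the policy would have blocked. The scan path and output directory are assumptions.

```powershell
# Added example (not from the session): build a Device Guard code integrity
# policy from a clean reference machine and review what it would have blocked.
# Assumes the ConfigCI module (Windows 10 Enterprise); paths are placeholders.
function New-AuditCIPolicy {
    param(
        [string] $ScanPath = 'C:\Program Files',
        [string] $OutDir   = "$env:ProgramData\CIPolicy"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $xml = Join-Path $OutDir 'AuditPolicy.xml'
    $bin = Join-Path $OutDir 'SIPolicy.p7b'

    # "Publisher" allows anything signed by the publishers found on the reference machine
    # (the "code signed by some party" rule); unsigned binaries fall back to a hash rule
    # (the "list of approved executables"). -UserPEs covers user-mode executables, not just drivers.
    New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xml -ScanPath $ScanPath -UserPEs

    # A new policy carries rule option 3 ("Enabled:Audit Mode"), so violations are logged, not blocked.
    # Remove that option only once Get-CIAuditViolations below stays empty:
    #   Set-RuleOption -FilePath $xml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin | Out-Null
    return $bin   # copy to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot to apply
}

# Event 3076 in the CodeIntegrity log is "would have been blocked" under audit mode
# (3077 is the enforced block); this lists the files the policy does not yet cover.
function Get-CIAuditViolations {
    param([int] $MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = ($_.Message -split "`n")[0]   # first line names the offending file
            }
        }
}

# Usage:
# $policy = New-AuditCIPolicy -ScanPath 'C:\Program Files'
# Get-CIAuditViolations | Format-Table -AutoSize
```

Running in audit mode first is what makes this workable on a real fleet: the 3076 events tell you which in-house or unsigned binaries still need a hash rule or a signature (the slide's signing tool) before the policy is switched to enforcement.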

Slide 25: "Wait a Minute, Haven't I Heard This Before…"
There's a GP setting that said "you can only elevate signed apps," and there was AppLocker
But they're little-used and could be bypassed by a local admin
Win 10, however, uses a Virtual Secure Mode (VSM) wherein Hyper-V hosts a mini-Windows where the LSA runs in 1 GB of RAM
Provides a virtual TPM for VMs
May need 2016 Server's AD

Slide 26: Enabling It
Off by default
In Group Policies: Computer / Admin Templates / System / DeviceGuard, Turn On Virtualization Based Security
Will not work unless your system uses Secure Boot
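Because the feature is off by default and silently does nothing without Secure Boot, a readiness check before rolling out the policy saves a lot of confusion. The PowerShell below is an added example, not from the session; it reads Secure Boot state, the Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard) that reports whether VBS and the LSA isolation (Credential Guard) are actually running, and the registry values under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard that the "Turn On Virtualization Based Security" policy writes. The second function sets those same values only when Secure Boot is on.

```powershell
# Added example (not from the session): check whether a device can run
# Virtualization Based Security and, when Secure Boot is on, write the registry
# values the "Turn On Virtualization Based Security" policy sets.
# Assumes Windows 10 with the Win32_DeviceGuard class in root\Microsoft\Windows\DeviceGuard.
function Test-VbsReadiness {
    $r = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, which cannot run VBS either
    try   { $r.SecureBoot = Confirm-SecureBootUEFI }
    catch { $r.SecureBoot = $false }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r.VbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Enabled but not running (reboot pending?)' } 2 { 'Running' } default { 'Unknown' }
    }
    # SecurityServicesRunning: 1 = Credential Guard (LSA isolated in VSM), 2 = HVCI
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    $r.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection
    $r.HypervisorSupport      = [bool]($dg.AvailableSecurityProperties -contains 1)

    # The policy's registry footprint: 1 = enabled; RequirePlatformSecurityFeatures 1 = Secure Boot,
    # 3 = Secure Boot plus DMA protection
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $r.PolicyEnableVbs               = [int]$reg.EnableVirtualizationBasedSecurity
    $r.PolicyRequirePlatformFeatures = [int]$reg.RequirePlatformSecurityFeatures
    [pscustomobject]$r
}

function Enable-Vbs {
    # Same values as Computer / Admin Templates / System / DeviceGuard /
    # "Turn On Virtualization Based Security" with platform security level "Secure Boot"
    if (-not (Test-VbsReadiness).SecureBoot) { throw 'Secure Boot is off; VBS will not start without it' }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    Write-Host 'VBS enabled in the registry; reboot before expecting Win32_DeviceGuard to report it running'
}

# Usage: run elevated
Test-VbsReadiness | Format-List
```

A VbsStatus of "Enabled but not running" with SecureBoot false is exactly the failure mode the slide warns about: the policy applied, but the platform requirement was not met, so nothing changed at runtime.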

Slide 27: Thank You!
Thanks for attending, please do an evaluation
Join my newsletter mailing list at www.minasi.com
Follow me at @mminasi